HTTP (Hypertext Transfer Protocol) is the standard protocol for transferring information over the internet, usually in the form of web documents (web pages). Its biggest weakness is that everything is sent in clear text, unencrypted: anyone on the path between client and server can read it, and an active attacker on that path can alter it. Some web pages try to compensate by encrypting fields such as passwords in JavaScript before submitting them, but this is not a real substitute. The script itself travels over the same unencrypted connection, so an attacker in the path can tamper with it, and it does nothing to protect the rest of the page or the session cookies that follow.
This is where HTTPS (Hypertext Transfer Protocol Secure) comes in. HTTPS is ordinary HTTP carried inside a TLS (formerly SSL) connection, so it works in the same way except that all data between client and server is encrypted and integrity-protected. When a client opens an HTTPS connection it first checks the certificate presented by the server: that it was issued by a certificate authority the client trusts, that it is valid for the host name in the URL and that it has not expired. This check is what stops a 'man in the middle' from impersonating the site. Client and server then negotiate the cipher suite: the key-exchange method, the symmetric cipher and its key length, and the hash used for integrity, chosen from whatever the client offers and the server supports.
The client and server then perform a key exchange that leaves both of them holding the same fresh session keys without those keys ever being sent across the wire (in modern TLS this is an ephemeral Diffie-Hellman exchange; older versions let the client encrypt a secret to the server's public key instead). Only the two endpoints hold the session keys, so anybody intercepting the traffic cannot decrypt it. It is important to understand that HTTPS does nothing to hide the flow of data: an attacker with a packet sniffer on a local network can still capture every packet, see which server and port are being talked to and how much traffic is exchanged, and unless Encrypted Client Hello is in use the requested host name is visible in the handshake as well. The contents of the packets, however, are useless to the attacker. Brute-forcing a session key of the sizes HTTPS uses is not practical; it would take far longer than any realistic computing effort, not merely hundreds of years.
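The handshake just described, as a runnable toy model added here (it is not part of the original article and not real TLS): the client offers cipher suites, the server picks one and presents its identity, a Diffie-Hellman key agreement gives both sides the same session key, and a record layer encrypts the request so a sniffer captures only ciphertext. It also shows the two ways a man in the middle fails: an attacker presenting its own identity is rejected by the trust check, and one who forwards the real identity but swaps in its own key share cannot produce a valid Finished message. Everything is illustrative and simplified: the Diffie-Hellman group is the 1024-bit RFC 2409 group 2 (below today's minimum, used only to keep the numbers printable), the "certificate" is a pinned fingerprint of the server's long-term key rather than a CA-signed X.509 certificate, the server proves possession of that key through an ephemeral-static DH value instead of TLS's digital signature over the transcript (the Python standard library has no signing primitive), and the record cipher is a SHA-256 keystream with no integrity protection. Host names, class names and message formats are all made up.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group: RFC 2409 group 2 (1024-bit MODP), generator 2.  Fine
# for an illustration; real TLS uses 2048-bit+ ffdhe groups or X25519.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
SERVER_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]  # server preference order

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, peer_pub):
    # Shared secret g^(ab) mod P, fixed width so both sides hash identical bytes.
    return pow(peer_pub, priv, P).to_bytes(128, "big")

def fingerprint(pub):
    return hashlib.sha256(pub.to_bytes(128, "big")).hexdigest()

def transcript_hash(*messages):
    return hashlib.sha256("|".join(repr(m) for m in messages).encode()).digest()

def derive_key(ee, es, transcript):
    # HKDF-style: mix both DH results and the handshake transcript into one session key.
    return hmac.new(ee + es, transcript, hashlib.sha256).digest()

def finished_mac(key, transcript):
    return hmac.new(key, b"server finished" + transcript, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    # Toy record layer: SHA-256 in counter mode as a keystream (no integrity;
    # real TLS uses AES-GCM or ChaCha20-Poly1305).  Encrypt and decrypt coincide.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Server:
    def __init__(self, hostname):
        self.hostname = hostname
        self.static_priv, self.static_pub = keypair()  # long-term identity key ("certificate")

    def hello(self, client_hello):
        # Cipher suite negotiation: first of our preferences that the client also offered.
        suite = next((s for s in SERVER_SUITES if s in client_hello["suites"]), None)
        if suite is None:
            raise ValueError("no cipher suite in common")
        eph_priv, eph_pub = keypair()  # fresh per connection, giving forward secrecy
        server_hello = {"suite": suite, "key_share": eph_pub,
                        "certificate": {"hostname": self.hostname, "pub": self.static_pub}}
        transcript = transcript_hash(client_hello, server_hello)
        self.key = derive_key(dh(eph_priv, client_hello["key_share"]),
                              dh(self.static_priv, client_hello["key_share"]), transcript)
        return server_hello, finished_mac(self.key, transcript)

class Client:
    def __init__(self, trust_store, suites):
        self.trust_store = trust_store  # hostname -> pinned fingerprint of the server identity key
        self.suites = suites

    def hello(self, hostname):
        self.hostname = hostname
        self.eph_priv, eph_pub = keypair()
        self.client_hello = {"suites": self.suites, "key_share": eph_pub}
        return self.client_hello

    def finish(self, server_hello, finished):
        cert = server_hello["certificate"]
        # 1. Certificate check: is this identity trusted for the host we asked for?
        if cert["hostname"] != self.hostname or \
                self.trust_store.get(self.hostname) != fingerprint(cert["pub"]):
            raise ValueError(f"certificate not trusted for {self.hostname}")
        # 2. Key agreement: the same two DH values the server computed, from our side.
        transcript = transcript_hash(self.client_hello, server_hello)
        self.key = derive_key(dh(self.eph_priv, server_hello["key_share"]),
                              dh(self.eph_priv, cert["pub"]), transcript)
        # 3. Finished check: only a holder of the identity's private key reaches the same key.
        if not hmac.compare_digest(finished, finished_mac(self.key, transcript)):
            raise ValueError("Finished MAC mismatch: peer does not hold the identity key")
        return server_hello["suite"]

def run_session(client, server, hostname, request, mitm=None):
    # Handshake plus one encrypted request.  Returns (negotiated suite, bytes on
    # the wire, plaintext as decrypted by the server).  `mitm`, if given, rewrites
    # the server's hello and Finished before the client sees them.
    client_hello = client.hello(hostname)
    server_hello, finished = server.hello(client_hello)
    if mitm is not None:
        server_hello, finished = mitm(client_hello, server_hello, finished)
    suite = client.finish(server_hello, finished)
    nonce = secrets.token_bytes(8)
    wire = stream_xor(client.key, nonce, request)  # what a packet sniffer captures
    return suite, wire, stream_xor(server.key, nonce, wire)
```

A normal run negotiates the server's preferred suite out of those the client offered, the bytes on the wire differ from the request, and the server recovers the plaintext. An attacker whose own `Server` answers in place of the real one trips the certificate check; an attacker who forwards the genuine certificate but replaces `key_share` derives a different transcript and lacks the static private key, so the Finished check fails.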
The other difference between HTTP and HTTPS is the TCP port the server listens on (the destination port of the client's connection): by default HTTP uses port 80 and HTTPS uses port 443. This keeps HTTP and HTTPS traffic separate and lets a single web server serve secure and non-secure sections of a site at the same time, although it is now common practice to redirect everything arriving on port 80 to port 443.
HTTPS was once reserved for online banking and other sites handling confidential details; today it is the default for most of the web. You can tell whether the site you are visiting is using HTTPS: the address is prefixed by https:// and the browser usually shows a padlock or similar security indicator in the address bar (older browsers put it in the status bar at the bottom). Clicking on it gives you information about the site's certificate (who issued it, which names it covers, when it expires) and details of the protocol version, cipher suite and key strength negotiated for the connection.
It is worth noting that HTTPS carries some extra overhead compared with plain HTTP. This comes from:
- Verifying the identity of the website (checking the certificate chain).
- Agreeing unique session keys between client and server (the key exchange, which adds a round trip when a connection is first set up).
- Encrypting data before sending.
- Decrypting data once it is received.
On modern hardware, with hardware-accelerated AES and session resumption, this overhead is small, and it is a small price to pay for the very strong security that HTTPS offers.
